Starting April 1, 2026, income tax authorities will gain access to individuals’ social media accounts, personal emails, bank accounts, online investments, trading accounts, and more.
Experts warn that this raises serious data privacy concerns, including the risk of mass surveillance, misuse of personal data, and potential concerns for foreign investments.
As per the new bill, authorities will have the power to override digital platform access if they suspect tax evasion or undisclosed assets, including money, gold, jewelry, or property, on which taxes have not been paid under the Income Tax Act, 1961.
Reportedly, some anonymous tax officials have dismissed concerns as fear-mongering, stating that such powers "already existed" under the 1961 Act. They clarified that access to digital platforms is only enforced during search or survey operations and only if the individual refuses to share passwords for digital storage, emails, or communication platforms like WhatsApp.
They also noted that only about 1% of the 8.79 crore annual ITR filings are selected for scrutiny and that the new provisions on "virtual digital space" do not apply to regular scrutiny cases—only during active search or survey actions.
But does this fully address the concerns?
Alluding to the clarification, Supreme Court Advocate-on-record, Talha Abdul Rahman, pointed out that the government already has a Financial Intelligence Unit (FIU) dedicated to gathering financial data. "The FIU collects information from car dealers, Regional Transport Offices, property sub-registrars, and even jewellers after demonetisation," he said.
"Even today, if you buy a significant amount of gold, you’re required to disclose your PAN number. Everything is already being tracked," he said.
Rahman noted that existing mechanisms already monitor financial activities, questioning the need for additional surveillance. "When laws like UAPA and PMLA were introduced, it wasn’t meant for everyone but the scope keeps expanding."
The advocate cautioned that in a system where laws are often weaponised, no assurance can be given that new powers will be used only against a specific group. "While income tax laws affect only a fraction of the population, the potential for misuse cannot be ignored," he warned.
What does the new bill say?
The new Income Tax Bill, 2025, expands the powers of tax authorities, potentially allowing them to access a suspect’s electronic devices, social media, and email accounts.
Section 247 of the Bill, which deals with search and seizure, lets officials enter any place they believe holds records of tax violations, break open doors and locks, and seize documents they find suspicious.
They can also force individuals to grant access to their records or computer systems. While similar powers existed under Section 132 of the Income Tax Act, 1961, the new bill gives officials even more authority.
Section 247(b)(iii) specifically states that officials can “break open the lock of any door, box, locker, safe, almirah, or other receptacle...” if they don’t have the keys. It further allows them to “gain access by overriding the access code to any said computer system, or virtual digital space” if passwords aren’t available.
The second part of this provision has sparked concerns among legal experts. They argue it effectively gives tax officials the power to hack into personal computers, phones, emails, and social media accounts if someone refuses to provide access.
What does this mean for digital privacy?
Tech lawyer Dhruv Garg, speaking to Decode, raised concerns about data privacy in the new Income Tax Bill. He explained that the bill defines "virtual digital space" broadly, encompassing both digital elements and physical infrastructure like servers. This, he noted, blurs the boundary between the virtual and physical world, raising potential privacy issues.
"This has the potential to challenge the existing paradigm of privacy in India," Garg warned. He explained that the Digital Personal Data Protection Act, 2023 (DPDP Act) is designed to avoid conflicts with other laws.
"Operational safeguards for the exercise of access powers to such a wide scope of virtual space may be necessary to ensure that the privacy protections under the nascent DPDP framework can be preserved," he added.
According to Rahman, this bill, when it becomes a law, would formalise what has already been an “unofficial practice” within tax and intelligence agencies.
He said, “If this bill becomes law, authorities wouldn’t necessarily need a person's cooperation to access their information. While there may be an obligation on the individual, if they refuse to comply, authorities can still seek technical assistance from others to obtain the data.”
Citing Article 265, Rahman argued that taxation is incidental to governance, not its foundation. "The basis of governance is safety and security," he said, pointing out that income tax was introduced by the British as a revenue tool, not a core principle.
If framed as a security measure, the proposed law might have some justification, he admitted. "But merely recovering tax doesn’t justify violating personal privacy," he warned.
Since only a small fraction of Indians pay income tax, the law won’t directly impact most citizens. "This is a creeping expansion of state power," he said, recalling similar concerns from the Aadhaar case.
Can this law withstand constitutional scrutiny?
The Puttaswamy judgment (2017), famously known as the right to privacy judgment, established privacy as a fundamental right, but it also recognised that the government can, in some cases, legally infringe on informational privacy.
Garg acknowledged this balance, stating, "Government powers can sometimes legally infringe the informational privacy of Indian citizens, but the constitutional implications must be analysed on a case-by-case basis." The same, he noted, would apply to the new Income Tax Bill once it becomes law.
However, he emphasised the need for caution. "From a practical perspective, governments should ensure such powers have a well-justified purpose and adequate safeguards to prevent misuse," he said.
Building on concerns about government overreach, Rahman pointed to a broader issue—the use of the money bill route to push through legislation without adequate scrutiny.
Rahman noted that in the Puttaswamy case, a key challenge was the government's use of the money bill route to avoid scrutiny.
He explained that the government argues any matter involving public expenditure can be passed as a money bill, which follows a less rigorous process. However, the legality of using money bills to regulate fundamental rights has been pending in the Supreme Court for years.
"This new bill also seeks to limit fundamental rights," he said, adding that “while its link to the Income Tax Act makes it more justifiably a money bill than others, the larger issue remains—money bills should not be used to rewrite fundamental rights”.
A money bill deals with taxation, borrowing, and government spending. It can only be introduced in the Lok Sabha, bypassing Rajya Sabha approval, which can only suggest changes. The Lok Sabha Speaker decides if a bill qualifies as a money bill.
On the other hand, an ordinary bill requires approval from both houses and undergoes a more rigorous process, allowing for debate and amendments in both Lok Sabha and Rajya Sabha.
Impact On Businesses And Investors
According to the experts, the bill also sets a troubling precedent for businesses, especially for foreign investors considering India.
Garg warned that since the new Bill could significantly expand tax authorities' access to digital platforms, including email servers, investment accounts, social media, and cloud storage, it would “put fintech companies, investment platforms, and digital banking services under greater scrutiny during tax investigations”.
"Such access could compromise client confidentiality, erode trust, and create operational challenges for these entities," he said.
Explaining how it could impact foreign investors, Rahman said, "A company looking to do business in India cannot even send an email freely, knowing the government can monitor it," he explained. "They can access my emails, see who I'm contacting—whether it's a competitor or a resource—without any obligation to maintain confidentiality."
He pointed out that while a higher officer's approval is required, these approvals are often given without scrutiny. "There’s no clear requirement to justify necessity. A fundamental rule of data protection is to access only what is necessary and only to the extent needed. This law ignores that entirely," he added.